How to avoid getting a cap popped in your app
This is an excellent and very comprehensive presentation on drive-by downloads and modern web-based multi-layer malware. I highly recommend watching this one if you are interested in web security.
The speaker is Dr. Neil Daswani at the 2010 AppSec conference.
Even if you are experienced in the IT security field, you can definitely learn something here. Great summaries and interesting concepts all the way through.
The presentation covers:
- The complex layered architecture of web-based attacks
- Websites as distribution vehicles
- Risks from embedded third-party resources
- Interesting implications of the rich shared functionality used in modern websites for the impact of such attacks
How to hack client-side Java applets
This is an interesting insight from an experienced penetration tester, both into meeting the challenging demands of customer requirements and the promises of the sales team, and into a way of "disassembling" and debugging a Java applet for parameter tampering attacks.
This is a reminder that, irrespective of how obscure and "protected" a client-side application is, you cannot trust the data that comes from the client.
Everything on the client side can be compromised, even data from a Java virtual machine submitted with a custom-built protocol.
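As an added illustration of that point (not code from the post or from the tester it describes), here is the server side of an order request written so that no client-supplied field is trusted: the total is recomputed from a server-held catalog, the quantity is bounds-checked, and client-held state travels only as an HMAC-signed token. The catalog, key and field names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed server-side catalog (prices in cents); the only trusted source of prices.
CATALOG = {"sku-100": 4999, "sku-200": 1250}
MAX_QTY = 100
SECRET_KEY = b"constructed-demo-key"  # placeholder; load from secure config in practice


def issue_session_token(user_id: str) -> str:
    """Give the client state it may hold but cannot alter without breaking the MAC."""
    payload = json.dumps({"uid": user_id}, sort_keys=True)
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_session_token(token: str) -> Optional[dict]:
    """Return the signed payload, or None if the token is malformed or tampered with."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def process_order(request: dict) -> dict:
    """Validate an order; every client field is re-checked or recomputed server-side."""
    session = verify_session_token(request.get("token", ""))
    if session is None:
        return {"ok": False, "error": "bad token"}
    sku = request.get("sku")
    if sku not in CATALOG:
        return {"ok": False, "error": "unknown sku"}
    qty = request.get("qty")
    # type() rather than isinstance() so a JSON boolean is not accepted as an int.
    if type(qty) is not int or not 1 <= qty <= MAX_QTY:
        return {"ok": False, "error": "bad quantity"}
    # Any client-sent "total" or "price" field is ignored; the catalog is authoritative.
    total = CATALOG[sku] * qty
    return {"ok": True, "uid": session["uid"], "sku": sku, "qty": qty, "total": total}
```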